<!DOCTYPE HTML>
<html lang="en-GB">


   	
	
	

	
    <head>
    
    
    
    
    <meta charset="UTF-8"/>
    <meta name="viewport" content="width=device-width"/>
	<meta name="description" content="We investigate how certain hacking tools are used to move laterally on victims’ networks to deploy ransomware. These tools contain reconnaissance/spreader scripts, exploits for Red Hat and CentOS, binary injectors, and more. In this blog, we focus on analyzing the worm and ransomware script. "/>
	<meta name="robots" content="index,follow"/>
	<meta name="keywords" content="endpoints,ransomware,research,articles, news, reports"/>
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"/>
	<meta name="template" content="article1withouthero"/>
    <meta property="article:published_time" content="2021-06-17"/>
    <meta property="article:tag" content="ransomware"/>
    <meta property="article:section" content="research"/>
    
    <link rel="icon" type="image/ico" href="/content/dam/trendmicro/favicon.ico"/>
	<link rel="canonical" href="https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"/>

    <title>Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions</title>
			 
    

    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600" rel="stylesheet"/>
<link href="//customer.cludo.com/css/296/1798/cludo-search.min.css" type="text/css" rel="stylesheet"/>



    
    
    

    
    
    
    
<link rel="stylesheet" href="/etc.clientlibs/trendresearch/clientlibs/clientlib-trendresearch.min.css" type="text/css">



    

    

	<meta property="og:url" content="https://www.trendmicro.com/en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"/>
<meta property="og:title" content="Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions"/>
<meta property="og:description" content="We investigate how certain hacking tools are used to move laterally on victims’ networks to deploy ransomware. These tools contain reconnaissance/spreader scripts, exploits for Red Hat and CentOS, binary injectors, and more. In this blog, we focus on analyzing the worm and ransomware script. "/>
<meta property="og:site_name" content="Trend Micro"/>
<meta property="og:image" content="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%200-DarkRad-banner.png"/>
<meta property="og:locale" content="en_GB"/>

	<meta name="twitter:card" content="summary_large_image"/>
<meta name="twitter:site" content="@TrendMicro"/>
<meta name="twitter:title" content="Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions"/>
<meta name="twitter:description" content="We investigate how certain hacking tools are used to move laterally on victims’ networks to deploy ransomware. These tools contain reconnaissance/spreader scripts, exploits for Red Hat and CentOS, binary injectors, and more. In this blog, we focus on analyzing the worm and ransomware script. "/>
<meta name="twitter:image" content="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%200-DarkRad-banner.png"/>

</head>
    
    <body class="articlepage page basicpage context-business">

        
                      
     		<!-- /* Data Layer */ -->
			<script type="text/javascript">
				var utag_data = {"customer_cookie_type":"business","language_code":"en_gb","page_name":"research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/en_gb","category_id":"en_gb/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions","page_type":"unknown","site_section":"research","post_author":"Aliakbar Zahravi|Threat Researcher","post_date":"2021-06-17"};
			</script>


            



            
<div class="header globalHeaderV2">

<div class="disruptorPanel">

<div class="disruptor-panel__alert">

	<div class="inner-container">
		<button class="sliding-dismiss-button">
			<span class="button-text">dismiss</span>
			<span class="icon-close"></span>
		</button>
	</div>
</div>
</div>
<div class="main-header new-main-header">
	<!-- Nav Sticky Wrapper -->
	<div class="nav-sticky-wrapper">
		<!-- Top Bar -->
		<div class="top-bar hidden-xs hidden-sm">
			<div class="inner-container">
				<div class="utility-col">
					<div class="utilityMenu utilityMenu-desktop"><nav class="utilityMenu__wrapper">

	<div class="dropdown utilityAlerts ">
	<button class="menu-button" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
		<span class="hidden menu-button__alert-count"></span>
		<span class="menu-button__icon icon-alert"></span>
		<span class="menu-button__text">Alerts</span>
	</button>
	<ul class="hidden dropdown-menu alerts-container ">
	</ul>

<ul class="dropdown-menu no-alerts"><li>No new notifications at this time.</li></ul>

</div>

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown hidden-xs ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-download"></span>
				<span class="menu-button__text">Download</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li>
							<a href="/en_gb/business/products/downloads.html#t3">
								
								Scan Engines
								
							</a>
						</li>
					
						<li>
							<a href="/en_gb/business/products/downloads.html#t4">
								
								All Pattern Files
								
							</a>
						</li>
					
						<li>
							<a href="/en_gb/business/products/downloads.html">
								
								All Downloads
								
							</a>
						</li>
					
						<li class=" is-phone-number ">
							<a href="http://downloadcenter.trendmicro.com/index.php?clk=left_nav&clkval=rss_feed&regs=GB" target="_blank" rel="noopener noreferrer" class="no-border ">
								
								Subscribe to Download Center RSS
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-cart"></span>
				<span class="menu-button__text">Buy</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="/en_gb/partners/find-a-partner.html">
								
								Find a Partner
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://store.trendmicro.com/store/tmamer/Content/pbPage.Home/pgm.4823570300/" target="_blank" rel="noopener noreferrer">
								
								Home Office Online Store
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://store.trendmicro.com/store/tmamer/html/pbPage.ManualRenew/ThemeID.7735600" target="_blank" rel="noopener noreferrer">
								
								Renew Online
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="/en_gb/forHome/products/free-tools.html" class="no-border ">
								
								Free Tools
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_gb/business/get-info-form.html">
								
								Contact Sales
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_gb/contact.html">
								
								Locations Worldwide
								
							</a>
						</li>
					
						<li class="dropdown-header hidden-context-home is-phone-number ">
							
								
								+44 (0) 203 549 3300
								
							
						</li>
					
						<li class="dropdown-header hidden-context-home ">
							
								
								Small Business
								
							
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://orp.trendmicro.com/EMEAORP" target="_blank" rel="noopener noreferrer">
								
								Renew Online
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown stretched-dropdown">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-region"></span>
				<span class="menu-button__text">Region</span>
			</button>
			



			

			
				<div class="dropdown-menu align-">
					<ul class="menu-column col-xs-12 col-sm-4 col-md-3">
						
							<li class="dropdown-header">
								
									
									The Americas
									
								
							</li>
						
							<li>
								<a href="/en_us.html">
									
									United States
									
								</a>
							</li>
						
							<li>
								<a href="/pt_br.html">
									
									Brasil
									
								</a>
							</li>
						
							<li>
								<a href="/en_ca.html">
									
									Canada
									
								</a>
							</li>
						
							<li>
								<a href="/es_mx.html" class="no-border ">
									
									México
									
								</a>
							</li>
						
							<li class="dropdown-header break-column-desktop break-column-tablet">
								
									
									Asia Pacific
									
								
							</li>
						
							<li>
								<a href="/en_au.html">
									
									Australia
									
								</a>
							</li>
						
							<li>
								<a href="/en_hk.html">
									
									Hong Kong (English)
									
								</a>
							</li>
						
							<li>
								<a href="/zh_hk.html">
									
									香港 (中文) (Hong Kong) 
									
								</a>
							</li>
						
							<li>
								<a href="/en_in.html">
									
									भारत गणराज्य (India)
									
								</a>
							</li>
						
							<li>
								<a href="/in_id.html">
									
									Indonesia
									
								</a>
							</li>
						
							<li>
								<a href="/ja_jp.html">
									
									日本 (Japan)
									
								</a>
							</li>
						
							<li>
								<a href="/ko_kr/business.html">
									
									대한민국 (South Korea)
									
								</a>
							</li>
						
							<li class=" break-column-desktop">
								<a href="/en_my.html">
									
									Malaysia
									
								</a>
							</li>
						
							<li>
								<a href="/en_nz.html">
									
									New Zealand
									
								</a>
							</li>
						
							<li>
								<a href="/en_ph.html">
									
									Philippines
									
								</a>
							</li>
						
							<li>
								<a href="/en_sg.html">
									
									Singapore
									
								</a>
							</li>
						
							<li>
								<a href="/zh_tw.html">
									
									台灣 (Taiwan)
									
								</a>
							</li>
						
							<li>
								<a href="/th_th.html">
									
									 ประเทศไทย (Thailand)
									
								</a>
							</li>
						
							<li>
								<a href="/vi_vn.html" class="no-border ">
									
									Việt Nam
									
								</a>
							</li>
						
							<li class="dropdown-header break-column-desktop break-column-tablet">
								
									
									Europe, Middle East &amp; Africa
									
								
							</li>
						
							<li>
								<a href="/en_be.html">
									
									België (Belgium)
									
								</a>
							</li>
						
							<li>
								<a href="http://www.trendmicro.cz/">
									
									Česká Republika
									
								</a>
							</li>
						
							<li>
								<a href="/en_dk.html">
									
									Danmark
									
								</a>
							</li>
						
							<li>
								<a href="/de_de.html">
									
									Deutschland, Österreich Schweiz
									
								</a>
							</li>
						
							<li>
								<a href="/es_es.html">
									
									España
									
								</a>
							</li>
						
							<li>
								<a href="/fr_fr.html">
									
									France
									
								</a>
							</li>
						
							<li>
								<a href="/en_ie.html">
									
									Ireland
									
								</a>
							</li>
						
							<li>
								<a href="/it_it.html">
									
									Italia
									
								</a>
							</li>
						
							<li>
								<a href="/en_ae.html">
									
									Middle East and North Africa
									
								</a>
							</li>
						
							<li class=" break-column-desktop">
								<a href="/en_nl.html">
									
									Nederland
									
								</a>
							</li>
						
							<li>
								<a href="/en_no.html">
									
									Norge (Norway)
									
								</a>
							</li>
						
							<li>
								<a href="/pl_pl.html">
									
									Polska (Poland)
									
								</a>
							</li>
						
							<li>
								<a href="/ru_ru.html">
									
									Россия (Russia)
									
								</a>
							</li>
						
							<li>
								<a href="/en_za/business.html">
									
									South Africa
									
								</a>
							</li>
						
							<li>
								<a href="/en_fi.html">
									
									Suomi (Finland)
									
								</a>
							</li>
						
							<li>
								<a href="/en_se.html">
									
									Sverige (Sweden)
									
								</a>
							</li>
						
							<li>
								<a href="/tr_tr.html">
									
									Türkiye (Turkey)
									
								</a>
							</li>
						
							<li>
								<a href="/en_gb.html" class="no-border ">
									
									United Kingdom
									
								</a>
							</li>
						
					</ul>
				</div>
			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button button-default" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-login"></span>
				<span class="menu-button__text">Log In</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/sign-in" target="_blank" rel="noopener noreferrer">
								
								My Support
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://esupport.trendmicro.com/en-us/home/pages/resources.aspx" target="_blank" rel="noopener noreferrer" class="no-border ">
								
								Log In to Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://community-trendmicro.force.com/Partner" target="_blank" rel="noopener noreferrer">
								
								Partner Portal
								
							</a>
						</li>
					
						
					
						
					
						<li class="dropdown-header hidden-context-business ">
							
								
								Home Solutions
								
							
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://www.trendsecure.com/my_account/signin/login" target="_blank" rel="noopener noreferrer">
								
								My Account
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://www.trendmicro.com/ilostmyandroid" target="_blank" rel="noopener noreferrer">
								
								Lost Device Portal
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://www.trendsecure.com/report_stolen/locker/report" target="_blank" rel="noopener noreferrer">
								
								Trend Micro Vault
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="http://pwm.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Password Manager
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://clp.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Customer Licensing Portal
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://esupport.trendmicro.com/oct" target="_blank" rel="noopener noreferrer">
								
								Online Case Tracking
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/sign-in" target="_blank" rel="noopener noreferrer">
								
								Premium Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://sso.trendmicro.com/sso/form/authenticate.aspx" target="_blank" rel="noopener noreferrer">
								
								Worry-Free Business Security Services
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://tm.login.trendmicro.com/authenticate/api/false/tmrm" target="_blank" rel="noopener noreferrer">
								
								Remote Manager
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://cloudone.trendmicro.com/" target="_blank" rel="noopener noreferrer">
								
								Cloud One
								
							</a>
						</li>
					
						<li class=" hidden-context-business ">
							<a href="https://signup.cj.com/member/signup/publisher/?cid=1157059" target="_blank" rel="noopener noreferrer" class="no-border ">
								
								Referral Affiliate
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://signup.cj.com/member/signup/publisher/?cid=1867119#/branded?_k=xaeu3t" target="_blank" rel="noopener noreferrer">
								
								Referral Affiliate
								
							</a>
						</li>
					
				</ul>
			

			
		</div>
	

	


	

	
	

		<!-- /* Determine if we need to act as a link button, or a drop down menu */ -->
		

		
		<div class="dropdown ">
			<button class="menu-button desktop-text button-red" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="menu-button__icon icon-contact"></span>
				<span class="menu-button__text">Contact Us</span>
			</button>
			



			
				<ul class="dropdown-menu align-">
					
						<li class=" hidden-context-home ">
							<a href="/en_gb/business/get-info-form.html">
								
								Contact Sales
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_gb/contact.html">
								
								Locations
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://success.trendmicro.com/technical-support">
								
								Support
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_gb/partners/find-a-partner.html">
								
								Find a Partner
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="/en_gb/about/events.html">
								
								Learn of upcoming events
								
							</a>
						</li>
					
						<li class="dropdown-header hidden-context-home ">
							
								
								Social Media Networks
								
							
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.facebook.com/TrendMicroEurope">
								
								Facebook
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://twitter.com/trendmicrouk">
								
								Twitter
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.linkedin.com/company/trend-micro-europe">
								
								Linkedin
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.youtube.com/user/TrendMicroEurope">
								
								Youtube
								
							</a>
						</li>
					
						<li class=" hidden-context-home ">
							<a href="https://www.instagram.com/trendmicro/">
								
								Instagram
								
							</a>
						</li>
					
						<li class="dropdown-header is-phone-number ">
							
								
								+44 (0) 203 549 3300
								
							
						</li>
					
				</ul>
			

			
		</div>
	

	<div class="dropdown utility-dropdown-search hidden-sm hidden-md hidden-lg">
		<button class="menu-button utility-search-button" type="button">
			<span class="menu-button__icon icon-search-thin"></span>
		</button>
	</div>
</nav>

</div>
				</div>
			</div>
		</div>
		<!-- Bottom Bar -->
		<div class="bottom-bar">
			<div class="inner-container">
				<nav class="mainNavMenu"><!--  Inner Container -->
<div class="inner-container">
	<!--  Logo Toggle Col -->
	<div class="logo-toggle-col">
		<div class="newlogo logo"><a href="/en_gb/business.html">
	<img class="hidden-xs" src="/content/dam/trendmicro/global/en/global/logo/logo-desktop.png" alt="Trend Micro Security"/>
	<img class="hidden-sm hidden-md hidden-lg" src="/content/dam/trendmicro/global/en/global/logo/logo-desktop.png" alt="Trend Micro Security"/>
</a>


</div>
		<div class="toggle">
	<div class="toggle-button active">
		<a href="/en_gb/business.html" data-businesscontext="true">
			Business&nbsp;
			<span class="icon-chevron-right hidden-xs"></span>
		</a>
	</div>
	<div class="toggle-button">
		<a href="/en_gb/forHome.html" data-businesscontext="false">
			For Home&nbsp;
			<span class="icon-chevron-right hidden-xs"></span>
		</a>
	</div>

</div>
		<div class="mobile-right-controls hidden visible-xs visible-sm">
			<a href="#newnavmenu-mobile" class="menu-link toggle-newnavmenu-mobile collapsed" data-toggle="collapse">
				<div class="menu-icon">
					<div class="center-bar"></div>
				</div>
			</a>
			<div class="search-mobile toggle-search-mobile collapsed" data-target="#search-mobile-wrapper" data-toggle="collapse">
				<span class="icon-search"></span>
			</div>
		</div>
	</div>
	<!--  Nav Wrapper -->
	<div class="nav-wrapper collapse to-right dont-collapse-flex-md" id="newnavmenu-mobile">
		
			<div class="dropdown">
				
				
				
					<button class="menu-toggle hidden-xs hidden-sm" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
						Products
					</button>
					<button class="menu-toggle hidden-md hidden-lg" type="button" data-toggle="collapse" data-target="#nav-dropdown-0" aria-haspopup="true" aria-expanded="false">
						Products
					</button>
					<div class="dropdown-menu" id="nav-dropdown-0">
						<div class="responsiveColumnControl section">

<style>>
#responsive-column-3ec142ef-de48-4165-8ff9-1c48cdd36b4a {
	margin-top:0;
	padding-top:0;
	padding-bottom:0;
	margin-bottom:40px;
}
</style>



<div class="row
			
			null global-margin-top- global-padding-top- global-padding-bottom- global-margin-bottom-" id="responsive-column-3ec142ef-de48-4165-8ff9-1c48cdd36b4a">
	<div class="col-sm-12 col-xs-12 col-md-12 column"><div class="navCategory section">
<div class="white left-align-full show-dividers columns-container">
	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-hcs" href="/en_gb/business/products/hybrid-cloud.html">Hybrid Cloud Security</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-workload-security" href="/en_gb/business/products/hybrid-cloud/cloud-one-workload-security.html">
	Workload Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-conformity" href="/en_gb/business/products/hybrid-cloud/cloud-one-conformity.html">
	Conformity
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-container-security" href="/en_gb/business/products/hybrid-cloud/cloud-one-container-image-security.html">
	Container Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-file-storage-security" href="/en_gb/business/products/hybrid-cloud/cloud-one-file-storage-security.html">
	File Storage Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-application-security" href="/en_gb/business/products/hybrid-cloud/cloud-one-application-security.html">
	Application Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-network-security" href="/en_gb/business/products/hybrid-cloud/cloud-one-network-security.html">
	Network Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-hcs-open-source" href="/en_gb/business/products/hybrid-cloud/cloud-one-open-source-security-by-snyk.html">
	Open Source Security
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-network-security" href="/en_gb/business/products/network.html">Network Security</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-" id="b-nav-products-network-intrusion-prevention" href="/en_gb/business/products/network/intrusion-prevention.html">
	Intrusion Prevention
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-network-advanced-threat-protection" href="/en_gb/business/products/network/advanced-threat-protection.html">
	Advanced Threat Protection
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-industrial-network-security" href="/en_gb/business/products/iot/industrial-network-security.html">
	Industrial Network Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-mobile-network-security" href="/en_gb/business/products/iot/mobile-network-security.html">
	Mobile Network Security
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-user-protection" href="/en_gb/business/products/user-protection.html">User Protection</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-" id="b-nav-products-up-endpoint-security" href="/en_gb/business/products/user-protection/sps/endpoint.html">
	Endpoint Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-up-email-security" href="/en_gb/business/products/user-protection/sps/email-and-collaboration.html">
	Email Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-up-mobile-security" href="/en_gb/business/products/user-protection/sps/mobile-security-enterprise.html">
	Mobile Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-up-web-security" href="/en_gb/business/products/user-protection/sps/web-security.html">
	Web Security
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-up-industrial-endpoint" href="/en_gb/business/products/iot/industrial-endpoint-security.html">
	Industrial Endpoint
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-red" id="b-nav-products-detection-response" href="/en_gb/business/products/detection-response.html">Detection &amp; Response</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-detection-response-xdr" href="/en_gb/business/products/detection-response/xdr.html">
	XDR
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-detection-response-edr" href="/en_gb/business/products/detection-response/edr-endpoint-sensor.html">
	Endpoint Detection &amp; Response
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-products-detection-response-zero-trust" href="/en_gb/business/products/detection-response/zero-trust.html">
	Zero Trust Risk Insights
	
</a>

</div>

</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray">Powered by</a>
</div>
		<div class="parsys navColumnItems"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-key-products-machine-learning" href="/content/trendmicro/en_gb/business/technologies/machine-learning">
	AI/Machine Learning
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-key-products-global-threat-intelligence" href="/en_gb/business/technologies/smart-protection-network.html">
	Global Threat Intelligence
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-products-key-connected-threat-defense" href="/en_gb/business/technologies/connected-threat-defense.html">
	Connected Threat Defense
	
</a>

</div>

</div>
	</div>
</div>

</div>
<div class="navCategory section">
<div class="white center-align  columns-container">
	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-all-products" href="/en_gb/business/products.html">All Products &amp; Trials</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-all-solutions" href="/en_gb/business/products/all-solutions.html">All Solutions</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-service-packages" href="/en_gb/business/services/service-one.html">Service Packages</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>

	<div class="column">
		<div class="navColumnTitle">
<a class="title title-color-gray" id="b-nav-products-small-business" href="/en_gb/small-business/worry-free-services-advanced.html">Small &amp; Midsize Business Security</a>
</div>
		<div class="parsys navColumnItems">
</div>
	</div>
</div>

</div>

</div>
</div>
</div>


					</div>
				
			</div>
		
		
		
		
		
		
<a class=" text-color-" id="b-nav-company-events" href="/en_gb/about/events.html">
	Events
	
</a>

</div>

</div>

	<div class="col-sm-3 col-xs-12 col-md-3 column"><div class="navLink section">
<a class=" text-color-" id="b-nav-company-security-experts" href="/en_gb/about/leading-experts.html">
	Security Experts
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-company-careers" href="/en_gb/about/careers.html">
	Careers
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-history" href="/en_gb/about/history-vision-values.html">
	History
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-company-corp-social-responsibility" href="/en_gb/about/corporate-social-responsibility.html">
	Corporate Social Responsibility
	
</a>

</div>

</div>

	<div class="col-sm-3 col-xs-12 col-md-3 column"><div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-diversity-inclusion" href="/en_gb/about/diversity-inclusion.html">
	Diversity, Equity &amp; Inclusion
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-trust-center" href="/en_gb/about/trust-center.html">
	Trust Center
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-" id="b-nav-company-internet-safety-cyber-ed" href="/en_gb/initiative-education.html">
	Internet Safety and Cybersecurity Education
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-investors" href="/en_us/about/investor-relations.html">
	Investors
	
</a>

</div>
<div class="navLink section">
<a class=" text-color-gray" id="b-nav-company-legal" href="/en_gb/about/legal.html">
	Legal
	
</a>

</div>

</div>
</div>
</div>

</div>
	</div>
</div>

</div>

</div>
</div>
</div>


					</div>
				
			</div>
		
		
		<div class="dropdown search-dropdown">
			<button class="search-button hidden-xs hidden-sm" type="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
				<span class="icon-search-thin"></span>
			</button>
			<div class="dropdown-menu utility-search-target">
				<script type="text/javascript" src="//customer.cludo.com/scripts/bundles/search-script.js"></script>
				<script type="text/javascript">
					var CludoSearch;
					var cludo_language = '';

					switch( window.utag_data.language_code )
					{
						// Cludo dropped the ball on this one
						case 'ja_jp':
							cludo_language = 'jp';
							break;
						case 'in_id':
							cludo_language = 'id';
							break;
						default:
							cludo_language = window.utag_data.language_code.substring( 0, 2 ); // First two letters are the language
							break;
					}

					$(document).ready( function() {
						var cludoSettings = {
							customerId: 296,
							engineId: 9103,
							searchUrl: "/en_gb/common/cse.html",
							searchInputs: ["cludo-search-form","cludo-search-form-mobile","cludo-search-content-form"],
							initSearchBoxText: "",
							language: cludo_language,
							endlessScroll: {stopAfterPage:3, resultsPerPage:10, bottomOffset: 145},
							translateSearchTemplates: true,
							loading: "<div class='loader'></div>"
						};

						CludoSearch= new Cludo(cludoSettings);

						CludoSearch.translateProvider.translations[cludo_language]["category_header"] = Granite.I18n.get( "Show" );
						CludoSearch.translateProvider.translations[cludo_language]["your_search_on"] = Granite.I18n.get( "Showing results for" ) + " <span class='highlight'>{{value}}</span> ";
						CludoSearch.translateProvider.translations[cludo_language]["total_results"] = "";
						CludoSearch.translateProvider.translations[cludo_language]["total_result"] = "";
						CludoSearch.translateProvider.translations[cludo_language]["in_category"] = "";
						CludoSearch.translateProvider.translations[cludo_language]["results"] = Granite.I18n.get( "results" );
						CludoSearch.translateProvider.translations[cludo_language]["sort_by"] = Granite.I18n.get( "Sort By" ) + ":";
						CludoSearch.translateProvider.translations[cludo_language]["date"] = Granite.I18n.get( "Date" );
						CludoSearch.translateProvider.translations[cludo_language]["relevance"] = Granite.I18n.get( "Relevance" );
						CludoSearch.translateProvider.translations[cludo_language]["all_results"] = Granite.I18n.get( "All results" );

						CludoSearch.init();
					});
				</script>
				<form class="main-menu-search" aria-label="Search Trend Micro">
					<div class="main-menu-search__field-wrapper" id="cludo-search-form">
						<table cellspacing="0" cellpadding="0" class="gsc-search-box" style="width:100%">
							<tbody>
								<tr>
									<td class="gsc-input">
										<input type="text" size="10" class="gsc-input" name="search" title="search" placeholder="Search Trend Micro"/>
									</td>
								</tr>
							</tbody>
						</table>
					</div>
				</form>
				<button type="button" class="close" aria-label="Close"><span aria-hidden="true">&times;</span></button>
			</div>
		</div>
		<div class="utilityMenu utilityMenu-mobile hidden visible-xs visible-sm">
			<nav class="utilityMenu__wrapper" id="utilityMenu-mobile-wrapper"></nav>
			<div class="collapse-items-container"></div>
		</div>
	</div>
	<div class="search-mobile-wrapper collapse dont-collapse-flex-md hidden-md hidden-lg" id="search-mobile-wrapper">
		<form class="main-menu-search" aria-label="Search Trend Micro">
			<div class="main-menu-search__field-wrapper" id="cludo-search-form-mobile">
				<table cellspacing="0" cellpadding="0" class="gsc-search-box" style="width:100%">
					<tbody>
						<tr>
							<td class="gsc-input">
								<input type="text" size="10" class="gsc-input" name="search" title="search" placeholder="Search Trend Micro"/>
							</td>
							<td class="gsc-search-close collapsed" style="width:1%;" data-target="#search-mobile-wrapper" data-toggle="collapse">
								<span class="icon-close"></span>
							</td>
						</tr>
					</tbody>
				</table>
			</div>
		</form>
	</div>
</div>

</nav>
			</div>
		</div>
<div class="root responsivegrid">


<div class="aem-Grid aem-Grid--12 aem-Grid--default--12 ">
    
    <div class="articleBodyNoHero aem-GridColumn aem-GridColumn--default--12"><div class="research-layout article container" role="contentinfo">
    <article class="research-layout--wrapper row" data-article-pageID="1392333950">
        <div class="col-xs-12 col-md-12 one-column">
            <div class="col-xs-12 col-md-12">
                <div class="article-details" role="heading">
	<span class="article-details__bar" role="img"></span>
	<p class="article-details__display-tag">Ransomware</p>
	<h1 class="article-details__title">Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions</h1>
	<p class="article-details__description">We investigate how certain hacking tools are used to move laterally on victims’ networks to deploy ransomware. These tools contain reconnaissance/spreader scripts, exploits for Red Hat and CentOS, binary injectors, and more. In this blog, we focus on analyzing the worm and ransomware script. </p>
	<p class="article-details__author-by">By: Aliakbar Zahravi
		
			<time class="article-details__date">June 17, 2021</time>
		
		
		<span>Read time:&nbsp;</span><span class="eta"></span> (<span class="words"></span> words)
	</p>

</div>

            </div>
        </div>
		
		<hr class="research-layout-divider"/>

        <main class="main--content col-xs-12 col-md-8 col-md-push-2">
            <div>
	
    


	

</div>
            <div class="richText">
	
    


	
		<div>
			<p>A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, we found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, in some scripts Debian-based Linux distributions are included as well. The worm and ransomware scripts also use the API of the messaging application Telegram for command-and-control (C&amp;C) communication. We also found that most components of this attack have very low detection numbers in VirusTotal. The URL of the hack tools, together with the ransomware information, was initially reported by Twitter user <a href="https://twitter.com/r3dbu7z?lang=en" target="_blank" rel="noopener noreferrer">@r3dbU7z</a>. </p>
<p>In the next sections of this blog, we analyze the content of the “api_attack/” directory, which contains the Secure Shell (SSH) worm and ransomware script.<br />
</p>
<p><span class="body-subhead-title">Attack preview</span></p>
<p>The following is a list and overview of the hacking tools. We’ve observed that some of these scripts are based on open-source code. For example, binaryinject1.so is a modified version of a rootkit called “<a href="https://github.com/gianlucaborello/libprocesshider" target="_blank" rel="noopener noreferrer">libprocesshider</a>”, which hides a process under Linux using the ld preloader. Because this technique relies on preloading, unexpected entries in /etc/ld.so.preload or in the LD_PRELOAD environment variable are a useful place to look on a suspected host. Another example is “pwd.c” (“CVE-2017-1000253.c”), which is a publicly available exploit for CentOS 7 kernel versions 3.10.0-514.21.2.el7.x86_64 and 3.10.0-514.26.1.el7.x86_64. </p>

		</div>
	

</div>
            <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%201-DarkRad-hacktools.png" alt="Figure 1. Threat actor’s hack tools directory"/>
		
   		<figcaption>Figure 1. Threat actor’s hack tools directory</figcaption>
	</figure>

</div>
            <div>




    
    
    <div class="richText">
	
    


	
		<div>
			<p>Among all these tools, the content of “api_attack/” grabbed our attention. The “api_attack” directory contains the various versions of the Bash ransomware that we named DarkRadiation, as well as the SSH worm that is responsible for spreading this ransomware. The “Supermicro_cr_third” script in this directory seems to be the most complete version of the ransomware. This script is obfuscated with an open-source tool called “node-bash-obfuscate”, which is a Node.js CLI tool and library to obfuscate bash scripts.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%202a-DarkRad-hacktools-api.png" alt="Figure 2. Threat actor’s hack tools directory for /api_attack"/>
		
   		<figcaption>Figure 2. Threat actor’s hack tools directory for /api_attack</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%203a-DarkRad-hosting%20directory.png" alt="Figure 3. Threat actor’s malware hosting directory"/>
		
   		<figcaption>Figure 3. Threat actor’s malware hosting directory</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>Most scripts in this directory have zero detections in VirusTotal:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%204-DarkRad-VT%20results.png" alt="Figure 4. Virus Total results"/>
		
   		<figcaption>Figure 4. Virus Total results</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p><span class="body-subhead-title">Malware analysis</span></p>
<p>In this section, we take a closer look at the worm and ransomware scripts.<br />
</p>
<p><b>SSH Worm</b><br />
</p>
<p>The “downloader.sh” script is an SSH worm that accepts base64-encoded configuration credentials as an argument. These credentials would either be dumped by the attacker after the initial foothold on a victim’s systems or used as a brute-force list that targets systems with weak password protection. Essentially, the malware checks whether the given configuration is set to use an SSH password attack or an SSH key-based attack — it can also test SSH passwords or SSH keys against the targeted IP address. Upon successful connection, the malware downloads and executes the ransomware on the remote system. The following is the format of the credential input to the script after decoding: <br />
</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%204a-DarkRad-credinput.png" alt="DarkRad credential input to the script after decoding"/>
		
   		
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The following code snippet demonstrates this behavior of the malware:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%205-DarkRad-worm%20entry.png" alt="Figure 5. Worm entry function"/>
		
   		<figcaption>Figure 5. Worm entry function</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The check_ssh_connection function returns code:0 for a successful connection, code:254 for a ping error, and code:255 for an SSH connection error with both password and key. The malware uses the sshpass utility to perform non-interactive SSH password authentication.</p>
<p>In the case of an SSH inline password, the malware sets the sshpass parameter “passwordauthentication=yes”. It stores the ransomware script in the “/usr/share/man/man8/” directory and executes it. Because this directory normally holds only manual pages, a script or executable file found there is a useful indicator for defenders. To keep the process running in case the SSH session is terminated, the malware uses a screen session and the nohup command.<br />
</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%206-DarkRad-worm%20recon.png" alt="Figure 6. Worm reconnaissance and spreading functionality"/>
		
   		<figcaption>Figure 6. Worm reconnaissance and spreading functionality</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The malware obtains an encryption password ($crypt_pass) via an API call to its C&amp;C server and passes it to the supermicro_cr.gz script.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%207-DarkRad-encryptkey.png" alt="Figure 7. Request for encryption key"/>
		
   		<figcaption>Figure 7. Request for encryption key</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The malware has an install_tools function to download and install necessary utilities on an infected system in case they are not already installed. Based on this function, we can see that the worm only downloads and installs prerequisite packages for CentOS- or RHEL-based Linux distributions because it uses only the Yellowdog Updater, Modified (YUM) package manager. Some other hacking tools as well as the DarkRadiation ransomware variants use only YUM to download and install prerequisite packages.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%208-DarkRad-packageinstall.png" alt="Figure 8. Prerequisite package installation"/>
		
   		<figcaption>Figure 8. Prerequisite package installation</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>Finally, the malware reports the scanning/spreading result to the attacker via Telegram’s API:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%209-DarkRad-Telegram.png" alt="Figure 9. The malware sends execution status to the attacker&#39;s Telegram channel."/>
		
   		<figcaption>Figure 9. The malware sends execution status to the attacker&#39;s Telegram channel.</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p><b>The DarkRadiation Ransomware</b></p>
<p>In the previous section, we talked about the SSH worm script that received the credential configuration as a base64 parameter and used it against target systems to download and execute the ransomware. <br />
</p>
<p>Looking at various iterations of the ransomware in this section, we investigate the script called “supermicro_cr_third”, which seems like the latest version. The ransomware is written in bash script and targets Red Hat/CentOS and Debian Linux distributions. The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s). <br />
</p>
<p>We observed that this script is heavily under development, and various versions of this ransomware are all similar with only minor changes. Some functions are commented by the malware author, while some functions are not used (dead code) in some cases. In this section, we discuss the details of how this ransomware works.<br />
</p>
<p>The script is obfuscated with an open-source tool called “<a href="https://github.com/willshiao/node-bash-obfuscate" target="_blank">node-bash-obfuscate</a>,” which is a Node.js CLI tool and library to obfuscate bash scripts. This tool divides the bash script into chunks and then assigns a variable name to each chunk and replaces the original script with variable references, essentially scrambling the original script.<br />
</p>
<p>The following code snippet demonstrates the use of this tool to obfuscate a bash script:<br />
</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2010-DarkRad-bashobfuscate.png" alt="Figure 10. node-bash-obfuscate options"/>
		
   		<figcaption>Figure 10. node-bash-obfuscate options</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2011-DarkRad-nodesample.png" alt="Figure 11. node-bash-obfuscate sample output"/>
		
   		<figcaption>Figure 11. node-bash-obfuscate sample output</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>supermicro_cr_third analysis:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2012-DarkRad-supermicro.png" alt="Figure 12. A supermicro_cr_third obfuscated script"/>
		
   		<figcaption>Figure 12. A supermicro_cr_third obfuscated script</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>Upon execution, the malware checks whether it is running as root; if it is not, it displays a “Please run as root” message, removes itself, and exits.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2013-DarkRad-supermicrothree.png" alt="Figure 13. supermicro_cr_third main function"/>
		
   		<figcaption>Figure 13. supermicro_cr_third main function</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2014-DarkRad-scriptroot.png" alt="Figure 14. Checking if script run as root"/>
		
   		<figcaption>Figure 14. Checking if script run as root</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>It then checks if curl and OpenSSL are installed; if they are not, the malware then downloads and installs them.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2015-DarkRad-packinstall.png" alt="Figure 15.  A prerequisite package installation in another version"/>
		
   		<figcaption>Figure 15.  A prerequisite package installation in another version</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2016-DarkRad-prereqpackage.png" alt="Figure 16. A prerequisite package installation in supermicro_cr_third"/>
		
   		<figcaption>Figure 16. A prerequisite package installation in supermicro_cr_third</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The bot_who function is a bash script that takes a snapshot of the users that are currently logged into a Unix computer system using the “who” command. It stores the result in a hidden file called “/tmp/.ccw”. Afterward, every five seconds it executes the “who” command again and compares the output with the contents of the “.ccw” file. If they are not equal (a new user has logged in), the malware sends a message to the attacker via Telegram’s API:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2017-DarkRad-supermicro-bt.png" alt="Figure 17. supermicro_bt script"/>
		
   		<figcaption>Figure 17. supermicro_bt script</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>Before the encryption process, the ransomware retrieves a list of all available users on an infected system by querying the &quot;/etc/shadow&quot; file. It overwrites all existing user passwords with “megapassword” and deletes all existing users except “ferrum.” After that, the malware creates a new user from its configuration section with username “ferrum” and password “MegPw0rD3”. It executes the &quot;usermod --shell /bin/nologin&quot; command to disable shell access for all existing users on an infected system:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2018-DarkRad-supermicro-config.png" alt="Figure 18. supermicro_cr_third configuration"/>
		
   		<figcaption>Figure 18. supermicro_cr_third configuration</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2019-DarkRad-changeuserfunc.png" alt="Figure 19. user_change function in supermicro_cr_third"/>
		
   		<figcaption>Figure 19. user_change function in supermicro_cr_third</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>Some ransomware variants attempt to delete all existing users except username “ferrum” and “root”:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2020-DarkRad-userchangefunc.png" alt="Figure 20. user_change function in crypt3.sh"/>
		
   		<figcaption>Figure 20. user_change function in crypt3.sh</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>It also checks if “0.txt” exists on the C&amp;C server. If it does not exist, the malware does not execute the encryption process and sleeps for 60 seconds, after which it tries again. Note that wget is invoked with the “--spider” option, which only checks whether “0.txt” exists at the given URL without downloading it.</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2021-DarkRad-loopTelegram.png" alt="Figure 21. loop_wget_telegram function"/>
		
   		<figcaption>Figure 21. loop_wget_telegram function</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2022-DarkRad-checkattack.png" alt="Figure 22. “/check_attack” directory"/>
		
   		<figcaption>Figure 22. “/check_attack” directory</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>For encryption, the ransomware uses OpenSSL’s AES algorithm in CBC mode. The malware gets an encryption password through the command-line argument passed by the worm script:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2023-DarkRad-supermicro-threeconfig.png" alt="Figure 23. supermicro_cr_third key configuration"/>
		
   		<figcaption>Figure 23. supermicro_cr_third key configuration</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>It is important to note that the encryption path can be different in other versions. Super_micro_third uses a separate script called “crypt_file.sh” for file encryption. However, other variants such as supermicro_cr do the file encryption by themselves. Also, it must be noted that the ransomware appends the radioactive symbol (“☢”) as a file extension for an encrypted file. </p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2024-DarkRad-supermicro-encrypt.png" alt="Figure 24. super_micro_third encryption process"/>
		
   		<figcaption>Figure 24. super_micro_third encryption process</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2025-DarkRad-supermicro-encryfunc.png" alt="Figure 25. supermicro_cr encryption function"/>
		
   		<figcaption>Figure 25. supermicro_cr encryption function</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The malware sends the encryption status to the attacker via Telegram’s API:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2026-DarkRad-Teleconfig.png" alt="Figure 26. Telegram configuration"/>
		
   		<figcaption>Figure 26. Telegram configuration</figcaption>
	</figure>

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2026b-DarkRad-config.png" alt="DarkRad- Telegram configuration 2"/>
		
   		
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div>
			<p>The malware also stops and disables all running Docker containers on an infected system and creates a ransom note:</p>

		</div>
	

</div>


    
    
    <div class="image">
	
    


	<figure class="image-figure">
		
			<img src="/content/dam/trendmicro/global/en/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions/Figure%2027-DarkRad-DR-ransomnote.png" alt="Figure 27. Ransom note"/>
		
   		<figcaption>Figure 27. Ransom note</figcaption>
	</figure>

</div>


    
    
    <div class="richText">
	
    


	
		<div class="responsive-table-wrap">
			<p><span class="body-subhead-title">Conclusion</span></p>
<p>Overall, an adversary uses a variety of hacking tools to move laterally on victims’ networks and deploy ransomware. These hacking tools include reconnaissance/spreader scripts, exploits for Red Hat and CentOS, binary injectors (<a href="https://github.com/gianlucaborello/libprocesshider" target="_blank" rel="noopener noreferrer">libprocesshider</a> rootkit), and more. However, most of the tools have very low detection numbers on VirusTotal. It seems that some of the scripts are still in the development phase. <br />
</p>
<p>There were other notable elements as well. The worm and ransomware scripts are able to communicate with the attacker via Telegram’s API and to access the C&amp;C server directly. The ransomware can delete all users on an infected system (although in some variants it keeps the root user) and can create an account only for the attacker. As for file encryption, the ransomware uses OpenSSL’s AES algorithm to encrypt either files with specific extensions or all files in a given directory. <br />
</p>
<p>In this blog entry, we focused on analyzing the worm and the supermicro_cr_third ransomware script. We found that the ransomware was obfuscated with an open-source tool called &quot;node-bash-obfuscate,&quot; which is a Node.js CLI tool and library for obfuscating bash scripts. Hopefully, this can help with detection in case the attacker comes up with other ransomware variants using the same tool.<br />
</p>
<p>Trend Micro has a multilayered cybersecurity platform that can help improve an organization’s detection and response against the latest ransomware attacks and improve security teams’ visibility. Visit the <a href="/en_gb/business/products/detection-response.html">Trend Micro Vision One™</a> website for more information.</p>
<p> </p>
<p><span class="body-subhead-title">Indicators of Compromise (IOCs)</span></p>
<table cellpadding="1" cellspacing="0" border="1" width="100%">
<tbody><tr><td><b>Sha256</b></td>
<td><b>Script name</b></td>
<td><b>Trend Micro Detection Name</b></td>
</tr><tr><td>d0d3743384e400568587d1bd4b768f7555cc13ad163f5b0c3ed66fdc2d29b810</td>
<td>supermicro_cr</td>
<td>Ransom.SH.DARKRADIATION.A</td>
</tr><tr><td>652ee7b470c393c1de1dfdcd8cb834ff0dd23c93646739f1f475f71a6c138edd</td>
<td>supermicro_bt</td>
<td>Trojan.SH.DARKRADIATION.A</td>
</tr><tr><td>9f99cf2bdf2e5dbd2ccc3c09ddcc2b4cba11a860b7e74c17a1cdea6910737b11</td>
<td>supermicro_cr_third (obfuscated)</td>
<td>Ransom.SH.DARKRADIATION.A</td>
</tr><tr><td>654d19620d48ff1f00a4d91566e705912d515c17d7615d0625f6b4ace80f8e3a</td>
<td>supermicro_cr_third (deobfuscated)</td>
<td>Ransom.SH.DARKRADIATION.D</td>
</tr><tr><td>79aee7a4459d49dc6dfebf1a45d32ccc3769a1e5c1f231777ced3769607ba9c1</td>
<td>test.sh</td>
<td>Trojan.SH.DARKRADIATION.A</td>
</tr><tr><td>da68dc9d5571ef4729adda86f5a21d3f4478ddbae2de937f34f57f450d8a3c76</td>
<td>downloader.sh.save</td>
<td>Trojan.SH.DARKRADIATION.A</td>
</tr><tr><td>3bab2947305c00df66cb4d6aaef006f10aca348c17aa2fd28e53363a08b7ec68</td>
<td>downloader.sh</td>
<td>Trojan.SH.DARKRADIATION.A</td>
</tr><tr><td>0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5</td>
<td>crypt3.sh</td>
<td>Trojan.SH.DARKRADIATION.A</td>
</tr><tr><td>e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842</td>
<td>crypt2_first.sh</td>
<td>Ransom.SH.DARKRADIATION.A</td>
</tr><tr><td>fdd8c27495fbaa855603df4f774fe86bbc21743f59fd039f734feb07704805bd</td>
<td>bt_install.sh</td>
<td>Trojan.SH.DARKRADIATION.A</td>
</tr><tr><td>7a15e51e5dc6a9bfe0104f731e7def854abca5154317198dad73f32e1aead740</td>
<td>binaryinject1.so</td>
<td>Trojan.Linux.PROCHIDER.AA</td>
</tr><tr><td>c869261902a1364dd3decb2f8dce54b81621f20abd7204a427a3365c8dcc9d78</td>
<td>exploit4.py</td>
<td>Trojan.SH.EXPLOADER.AA</td>
</tr><tr><td>503276929ce5c56c626eaa5c3aca0e0160743bf3c8d415042dc3f9bb8c8b44a2</td>
<td>exploit3.py</td>
<td>Trojan.SH.EXPLOADER.AA</td>
</tr><tr><td>847d0057ade1d6ca0fedc5f48e76dd076fa4611deb77c490899f49701e87b6dd</td>
<td>exploit1.py</td>
<td>Trojan.SH.EXPLOADER.AA</td>
</tr><tr><td>14584a716c5378405cba188dd60cec03571965329f52cfbd8c54116fa2d59377</td>
<td>pwd.c</td>
<td> </td>
</tr></tbody></table>
<p><span class="body-subhead-title">C&amp;C Server IOCs</span></p>
<ul>
<li><span class="rte-red-bullet">Malware command and control server: 185[.]141[.]25[.]168</span></li>
<li><span class="rte-red-bullet">Hack tools directory:  hxxps[://]u2wgg22a111ssy[.]space</span></li>
<li><span class="rte-red-bullet">Hack tools directory: hxxps[://]www[.]0zr33n33fo[.]space</span></li>
<li><span class="rte-red-bullet">Hack tools directory: hxxp[://]vk-o2vox-n[.]pp[.]ua</span></li>
<li><span class="rte-red-bullet">Hack tools directory: hxxps[://]m0troppm[.]site</span></li>
<li><span class="rte-red-bullet">Hack tools directory: hxxps[://]apooow4[.]space</span></li>
<li><span class="rte-red-bullet">Hack tools directory: hxxps[://]ga345ss34u[.]space</span></li>
</ul>

		</div>
	

</div>


</div>

        </main>

        <sidebar class="sidebar--left col-xs-12 col-md-2 col-md-pull-8">
            


<h3 class="article-authors__title">
	
		Authors
	
</h3>

<!-- /* Show Trend Micro if we don't have any authors for this article */ -->


<ul class="article-authors__list">
	<li class="article-authors__list-items">
		
		<div class="article-authors__wrapper" role="contentinfo authors profile">
			
			
				<p class="article-authors__list-items__name">Aliakbar Zahravi</p>
			
			<p class="article-authors__list-items__position">Threat Researcher</p>
		</div>
	</li>
</ul>



	

    

        </sidebar>

    </article>
</div></div>

    
</div>
</div>


			

    </body>
</html>
